The National Security Agency broke the law and ignored privacy protections thousands of times in each of the years since Congressional leaders expanded the agency’s power in 2008, according to a new report citing documents leaked by Edward Snowden.

The majority of the violations
are related to unauthorized surveillance on Americans or
foreigners inside the United States, conditions deemed illegal by
executive order, according to a new report from the Washington
Post.

The account is based on top-secret documents and a May 2012
internal NSA audit that found 2,776 infractions – including
unauthorized collection, storage, access to or distribution of
legally protected communications – in the preceding 12 months
alone. The audit, originally only meant to be seen by top NSA
leaders, only accounted for violations at NSA headquarters at
Fort Meade, Virginia, and other locations in the Washington DC
region.

Three government sources told the Post that the 2,776 infractions
would in fact be much higher had the audit included all NSA data
collection centers. Each of the 2,776 violations could have
potentially encompassed thousands of communications.

“One key to the Washington Post story,” tweeted journalist
Glenn Greenwald, who first published Snowden’s disclosures in
June, “the reports are internal, NSA audits, which means high
likelihood of both under-counting and white-washing.”

One of the most flagrant examples is a 2008 incident when a
“large number” of telephone calls were inadvertently
intercepted because a programmer erroneously typed “202” instead
of “20,” Egypt’s national calling code, according to a
“quality assurance” memorandum never seen by NSA oversight
staff.

Another time, the NSA kept 3,032 files they were ordered to
destroy by the Foreign Intelligence Surveillance Act (FISA)
court. Each individual file included an undisclosed number of
telephone call records, according to the Post.

In separate incident, the NSA failed to notify the FISA court
about a new collection method the agency was using for months, at
which point the court deemed the method unconstitutional. The
agency reportedly “diverted large volumes of international
data passing through fiber-optic cables in the United States into
a repository where the material could be stored temporarily for
processing and selection.”

This finding, and others like it, refutes claims made by NSA
chief Keith Alexander and other brass that the government does
not store or process the information it collects. As per NSA
policy, the number of Americans affected was not disclosed in the
top-secret documents.

NSA officials also failed to explain why, with the number of
violation lower in 2008 and 2009 than in later years, violations
only increased as time went on.

US District Judge Reggie Walton, the chief judge of the FISA
court, admitted that the court’s rulings are based only on
information provided by the government. Consequently, judges
entrusted with determining what the NSA may and may not do are
forced to rely on the NSA to prove the government has not and
will not overstep its legal bounds.

“The [FISA court] is forced to rely upon the accuracy of the
information that is provided to the Court,” Walton wrote to
The Washington Post. “The [FISA court] does not have the
capacity to investigate issues of noncompliance, and in that
respect the [FISA court] is in the same position as any other
court when it comes to enforcing [government] compliance with its
orders.”

Privacy advocates have previously expressed concern that the
court is never informed of many of the violations. Even when the
court is informed of the agency’s intentions, however, the judges
are sometimes ignored.

A recently declassified Justice Department review from 2009
discovered a “major operational glitch that had led to a
series of significant violations of the court’s order and
notified the court.” While specifics of the error were not
disclosed, problems including the so-called
“over-collection” of phone call metadata were
reported.

“The problems generally involved the implementation of highly
sophisticated technology in a complex and ever-changing
communications environment which, in some instances, results in
the automated tools operating in a manner that was not completely
consistent with the specific terms of the Court’s orders,” a
December 2009 memo to the Senate and House intelligence
committees stated.

The Washington Post notified the NSA of Thursday’s report before
it was published, at which point the agency said it stops
mistakes “at the earliest possible moment, implement
mitigation measures wherever possible, and drive them
down.”

“We’re a human-run agency operating in a complex environment
with a number of different regulatory regimes, so at times we
find ourselves on the wrong side of the line,” said one
senior official who spoke on the condition of
anonymity. “You can
look at a number in absolute terms that looks big, and you look
at it in relative terms, it looks a little
different.”

The documents also described a tutorial that NSA collectors and
analysts are required to complete. Titled the “Target Analysts
Rationale Instructions,” the training instructs employees on how
to complete oversight requirements without revealing
“extraneous information” to “our FAA overseers,” a
reference to the FISA Amendments Act of 2008.

California Senator Dianne Feinstein said she did not receive a
copy of the audit until questioned by the Post, despite her
position as Senate Intelligence Committee Chairman. She said the
committee “can and should do more to independently verify that
NSA’s operations are appropriate, and its reports of compliance
incidents are accurate.”

The timing of the report comes just after US President Barack
Obama defended the NSA’s widespread domestic and foreign
surveillance. Obama said the programs were necessary to protect
national security and legitimate partly because of comprehensive
oversight.

“If you look at the reports – even the disclosures that Mr.
Snowden has put forward – all the stories that have been written,
what you’re not reading about is the government actually abusing
these programs and listening in on people’s phone calls or
inappropriately reading people’s emails,” Obama said.

“What you’re hearing about is the prospect that these could be
abused. Now, part of the reason they’re not abused is because
these checks are in place, and those abuses would be against the
law and would be against the orders of the Foreign Intelligence
Surveillance Court.”

After the initial report was published Thursday night the
Washington Post issued an appendix revealing that after reporters
spoke with NSA leadership, the Obama administration refused allow
the Post to publish their names or official titles. The
explanation from the newspaper is reproduced in full below:

"The Obama administration referred all questions for this
article to John DeLong, the NSA’s director of compliance, who
answered questions freely in a 90-minute interview. DeLong and
members of the NSA communications staff said he could be quoted
“by name and title” on some of his answers after an unspecified
internal review. The Post said it would not permit the editing of
quotes. Two days later, White House and NSA spokesmen said that
none of DeLong’s comments could be quoted on the record and sent
instead a prepared statement in his name. The Post declines to
accept the substitute language as quotations from DeLong. The
statement is below.

"We want people to report if they have made a mistake or even
if they believe that an NSA activity is not consistent with the
rules. NSA, like other regulated organizations, also has a
“hotline” for people to report — and no adverse action or
reprisal can be taken for the simple act of reporting. We take
each report seriously, investigate the matter, address the issue,
constantly look for trends, and address them as well — all as a
part of NSA’s internal oversight and compliance efforts. What’s
more, we keep our overseers informed through both immediate
reporting and periodic reporting. Our internal privacy compliance
program has more than 300 personnel assigned to it: a fourfold
increase since 2009. They manage NSA’s rules, train personnel,
develop and implement technical safeguards, and set up systems to
continually monitor and guide NSA’s activities. We take this work
very seriously."